I could, but I won't. While your intentions might be honourable enough, there's no guarantee that the next person who reads this thread will have the same innocuous intentions.

You can almost certainly set up suitable logging via your web server to trap the request that's being made that's causing the malicious content to be injected. That should allow you to figure out how to simulate the request, and hence help you close the hole.

Hello Foxclub.
I do agree with your explanations. I'm gonna find a way to test a similar idea and get the client/server messages to guess what happens.
I understand it could be dangerous to publish such code here.